Intezer researchers link CCleaner hack to Chinese APT17 hackers

Researchers from security firm Intezer speculate that the attack was powered by nation-state actor, likely the Chinese APT17 group.

Security experts continue to investigate the recent attack against the supply chain of the popular software CCleaner.

The hackers first compromised in July a CCleaner server, then exploited it to deliver a backdoored version of the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. It has been estimated that between August 15 and September 12, over 2.27 million users downloaded the tainted version of CCleaner application.

The experts at Cisco Talos team that investigated the incident, while analyzing the command-and-control (C2) server used by the threat actor discovered a lightweight backdoor module (GeeSetup_x86.dll) that was delivered to a specific list of machines used by certain organizations.

The experts discovered that the threat actor that recently compromised the supply chain of the CCleaner software to distribute a tainted version of the popular software targeted at least 20 major international technology firms with a second-stage malware.

The experts analyzed a backup of a deleted database containing information on the infected machines, they discovered that the malicious code infected a total of 1,646,536 machines (based on MAC addresses), but just 40 of them received the second-stage backdoor.

Security experts who investigated the case discovered a link with a Chinese group of hackers.

Now, researchers from Intezer speculate that the attack was powered by nation-state actor, likely Chinese hackers belonging to the Axiom group, also known as APT17 or DeputyDog.

The most popular campaign attributed to the APT17 group is the attack on the Google’s infrastructure, also known as Operation Aurora. For almost a decade the APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer, the first payload has many similarities with the code used by the Axiom group.

“Not only did the first payload have shared code between the Axiom group and CCBkdr, but the second did as well.” reads the analysis published by Intezer.

The stage 2 payload contains the same portion of code found in APT17 malware and that isn’t included in any public repository.

“The author probably copied and pasted the code, which is what often happens to avoid duplicative efforts: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker,” said Intezer.

The researchers concluded that the level of complexity of the attack suggests the involvement of a state-sponsored actor, likely the APT17 group.

“The complexity and quality of this particular attack has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code reuse throughout that our technology was able to uncover,” concluded Intezer.